Firstly, a maliciously constructed “.exe” can be built to display a PDF icon, so it looks as though the default PDF reader will open the file. If the filename is really long, you can't see the extension at all (see image below); Windows Explorer also hides the extensions of known file types by default, which makes the trick easier.
Secondly, and perhaps less obviously, a malicious filename can be constructed with a right-to-left override character in such a way that the name appears to end in ".pdf" but the file really is an ".exe".
So in the example below, the 2nd file looks like a ".txt" file but is really a ".docx" file (the same file as the 1st one). The 1st file has been cleansed of the RTL Unicode character and visibly ends in ".docx".
Here are the same files as viewed from the command line (cmd.exe). The box character is where the RTL character sits.
How is RTLO being abused by malware writers?
RTLO can be used to spoof fake extensions. The trick needs a hidden right-to-left Unicode character in the file name: U+202E RIGHT-TO-LEFT OVERRIDE forces every character after it to be displayed in reverse order, so the stored name can end in ".exe" while the name the user sees ends in ".pdf".
Here's a tool I built to clean up the Right-to-Left Override/Mark (and many others) and other Unicode control characters from your filenames. It's super fast, small and written in native C++.
Updated Thu 21-Apr-22 - new build, fixed many recursive issues
Download touchRTL.7z (you need https://www.7-zip.org/ to unpack it). For personal use only. Copy it into c:\windows (or another directory on your PATH) so you can run it from cmd.exe.
touchRTL.7z is for personal use only; for commercial use buy touchLTRPRO. Contact the author (see --version) to request a license.
Just run this command and it will recursively rename files under the specified directory to remove those characters. If the directory name contains spaces, you need quotes:
touchRTL -v -R -l -y "directory name"
where

Usage: touchRTL [-aclmpRuvxy] [-r REFFILE | -d DATETIME] PATH...
UNIX touch mimic, updates files access, modification and creation times of file(s) in PATH to the current time. If PATH argument does not exist, creates corresponding new empty file or directory (using -y), unless -c or --no-create.
Supports directory recursion and time stamping!
Supports Right-to-Left (RTL) character removal for files.
PATH argument can represent a filename(s) or directory. Double quote if it contains spaces. eg "c:\as is.txt"

  -a, --access-time        change only the file access time
  -c, --no-create          do not create any new files - If the file exists, touch will update the access time
  -l, --RTL                remove Unicode control & format characters (esp. infamous right-to-left) from filename
  -m, --modif-time         change only the file modification time
  -p, --pause-exit         pause on exit (non-GNU extra)
  -R, --recursive          recursively touch files in specified directory and all subdirectories (non-GNU extra)
  -u, --unicntrl           remove Unicode control characters only - https://www.fileformat.info/info/unicode/ca
  -v, --verbose            output the result of every file processed (non-GNU extra)
  -x, --creation-time      change only the file creation time (non-GNU extra)
  -y, --directory          specify directory, instead of default file
  -r, --reference REFFILE  use this file's times instead of current time
  -s, --spaces             (PRO edtn) remove Unicode spaces from filename
  -!, --puncs              (PRO edtn) remove Unicode punctuations & symbols (math & modifiers) from filename
  -d, --date DATETIME      use YYYY-MM-DDThh:mm:ss[.ms] instead of current time (non-GNU, does not parse string; accepted "2033-04-01T07:07:07", "2033-04-01 07:07:07")
  -h, --help               Display this help and exit.
      --version            Display version information and license information.

For personal use only. Commercial license required for business use and removes page open. See --version for al
Copyright © 2019-2022 M. Pahulje <metadataconsult@gmail.com> - https://metadataconsulting.blogspot.com/
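For readers who want to see what the -l -R -v combination does under the hood, or who are not on Windows, here is an added Python example that does the equivalent rename pass. It is my own illustration, not touchRTL's source or its exact behaviour: like -l it strips every Unicode control (Cc) and format (Cf) character, like -R it walks the tree recursively, and the dry_run default, the bottom-up walk and the refusal to overwrite an existing name are design choices of this example (whether touchRTL handles collisions the same way is not stated on the page). The sample tree in demo() is constructed for the demonstration.

```python
import os
import tempfile
import unicodedata


def strip_controls(name: str) -> str:
    """Drop Unicode control (Cc) and format (Cf) characters from a name.

    Cf covers the bidi controls (U+202E RLO, U+200F RLM, ...), zero-width
    spaces/joiners and the BOM; Cc covers the C0/C1 control codes.
    """
    return "".join(c for c in name if unicodedata.category(c) not in ("Cc", "Cf"))


def clean_tree(root: str, dry_run: bool = True, verbose: bool = True):
    """Rename every file and directory under `root` whose name contains
    control/format characters.

    Walks bottom-up so a directory is renamed only after its contents,
    keeping child paths valid.  Returns the list of (old_path, new_path)
    pairs; with dry_run=True nothing on disk is changed.
    """
    changes = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for entry in filenames + dirnames:
            cleaned = strip_controls(entry)
            if cleaned == entry:
                continue
            src = os.path.join(dirpath, entry)
            dst = os.path.join(dirpath, cleaned)
            # Refuse to produce an empty/dot name or to clobber an existing
            # entry (on POSIX os.rename silently overwrites files).
            if cleaned in ("", ".", "..") or os.path.lexists(dst):
                if verbose:
                    print(f"SKIP (empty name or collision): {ascii(src)}")
                continue
            if verbose:
                action = "would rename" if dry_run else "rename"
                print(f"{action}: {ascii(entry)} -> {cleaned}")
            if not dry_run:
                os.rename(src, dst)
            changes.append((src, dst))
    return changes


def demo() -> dict:
    """Constructed sample tree with spoofed names; returns what was renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "docs\u200f")                # trailing RIGHT-TO-LEFT MARK
        os.mkdir(sub)
        for path in (os.path.join(tmp, "invoice_\u202efdp.exe"),  # shows as invoice_exe.pdf
                     os.path.join(sub, "a\u200b.txt"),             # zero-width space
                     os.path.join(tmp, "clean.pdf")):              # nothing to fix
            open(path, "w").close()
        changes = clean_tree(tmp, dry_run=False, verbose=False)
        return {
            "renamed": sorted(os.path.basename(dst) for _, dst in changes),
            "top_level": sorted(os.listdir(tmp)),
            "in_docs": sorted(os.listdir(os.path.join(tmp, "docs"))),
        }


if __name__ == "__main__":
    print(demo())
```

Run clean_tree(path) first with the default dry_run=True to review what would change, then with dry_run=False to apply it; in the demo the spoofed "invoice_exe.pdf" becomes invoice_fdp.exe, which makes the real extension plain to see, and the untouched clean.pdf is left alone.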